Demand for SOC 2 compliance in Canada grows each year as more Canadian companies are asked for assurances about the internal control environment behind the services they provide to customers. From data centers to Software as a Service (SaaS) entities and beyond, SOC 2 compliance in Canada is here to stay. With that said, take note of the following five (5) important elements regarding SOC 2, ranging from its background to scoping, policies and pricing.
1. Learn about the five (5) Trust Services Principles (TSP). The SOC 2 trust principles cover the following:
- The security of a service organization's system.
- The availability of a service organization's system.
- The processing integrity of a service organization's system.
- The confidentiality of the information that the service organization's system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
2. Changes are in place for SOC 2 compliance for Canadian businesses. The SOC 2 Trust Principles are part of the AICPA Service Organization Control (SOC) framework, which allows for three (3) reporting options: SOC 1, SOC 2, and SOC 3. SOC 2 has quickly become the global "go to" assessment standard for technology service organizations; in Canada, data centers, SaaS entities, software development organizations, and many other businesses are excellent candidates for the SOC 2 framework.
And if you are curious about the SOC 1 vs. SOC 2 debate: SOC 1 reporting "should" be used primarily for reporting on service organizations whose services bear directly on their customers' Internal Controls over Financial Reporting (ICFR). Think banks, trust departments and actuaries: companies whose internal controls truly have financial reporting implications for their customers. We at NDB put "should" in quotation marks because many service organizations are still being issued SOC 1 reports when they are really candidates for SOC 2 reporting. This is changing, however, as more companies become educated on the entire AICPA Service Organization Control (SOC) framework and start to realize the true benefits of SOC 2 reporting over SOC 1 reporting.
Now, back to SOC 2. For reporting periods ending on or after December 15, 2014, the SOC 2 criteria are organized into the following general areas:
- Organization and management
- Risk management and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations, and
- Change management
3. Policies and Procedures. One of the biggest challenges for SOC 2 compliance, and often the biggest, is producing the large number of documented information security and operational policies and procedures requested by auditors. It means spending untold hours authoring documentation to demonstrate compliance with the SOC 2 criteria. Companies are very good at what they do, or they would not be in business, but they also loathe authoring security policies. The solution is to use NDB's complimentary SOC 2 Policy Packet, which contains dozens of SOC 2 specific templates and is available to every client we work with. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They make a big difference in helping service organizations save thousands of dollars on SOC compliance.
The SOC 2 Policy Packet saves service organizations hundreds of operational hours and thousands of dollars, making it one of the very best investments when hiring NDB. We would go as far as saying that information security and operational policies and procedures are often the most significant and time-consuming aspect of the entire SOC 2 compliance audit. Furthermore, it is not just about written policies; it is about putting in place, and actually operating, the procedures those policies describe, because auditors test whether the documented controls are performed, not merely whether they are written down.
Additionally, if you are a Software as a Service (SaaS) organization, documented information security and operational policies and procedures are essential, which is all the more reason to engage with NDB and receive the complimentary SOC 2 Policy Packet today. Call Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at email@example.com.
4. Defining Scope. Remember that there are five (5) Trust Services Principles: (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. As a service organization, you will need to decide which of the five (one, a few, or all of them) are to be included within the scope of your SOC 2 assessment. How to decide: carefully understand your specific business platform and balance that against the reporting needs of the intended users of the report. Note that Security supplies the common criteria on which availability, processing integrity and confidentiality build, so it is effectively the baseline of any SOC 2 scope. SOC 2 reports for Canadian Software as a Service (SaaS) entities, for example, almost always include the "security" and "availability" principles, while a SOC 2 assessment for a healthcare company should also assess against the "confidentiality" and "privacy" Trust Services Principles (TSP). Again, scoping and choosing the correct TSPs is a big part of SOC 2 compliance for Canadian companies.
5. It's an Annual Commitment. If you are being asked to become SOC 2 compliant by a customer, regulatory body, or any other significant entity, then welcome to the world of compliance reporting. More specifically, get used to SOC 2 reporting on an annual basis, which means you should seek out a qualified and reputable CPA firm that can provide a 3 or 5 year fixed fee proposal. From Vancouver to St. Catharines, and many other locations throughout Canada, NDB has a well-established track record of providing high-quality, fixed fee compliance audits, so contact us today.
Call Christopher Nickell, CPA, today at 1-800-277-5415, ext. 706, or email him at firstname.lastname@example.org, to learn more about NDB's SOC 2 Canada service, along with our numerous other compliance offerings, such as SOC 1 and SOC 3 assessments, PCI DSS compliance, HIPAA compliance, and much more. Don't forget that NDB also offers a complimentary SOC 2 Policy Packet for Canadian businesses seeking to become SOC 2 compliant.